Skip to main content

It’s not like it’s a motor car, its more valuable than that

Email Compromise

Nobody will want to target us, we have nothing to steal. We are not important enough. We are not big enough. All our email is in the cloud, so we are ok. These are some of the excuses we hear from Small and Medium business owners when we speak to them about the cyber risk associated with their email systems. Yet they all know how to protect physical company assets, like a motor vehicle.

Email continues to be the most used and invasive of all business systems and the rapid adoption of cloud email services has driven this access away from only the mail itself, but these identities have access to all the information and IP of the business. Email has evolved to touch every piece of sensitive and confidential piece of information across the entire business estate.

Research shows that there are ransomware attacks every 11 seconds and losses to cyber crime are estimated to exceed $6 Trillion. More than 60% of global cyber attacks are targeted at small and medium businesses and these business have disproportionately larger costs, relative to large business, to recover from a successful cyber attack. Various research reports also confirm that anything from 85% - 92% of all cyber attacks can be traced back to email compromise.

Do you still think everything is ok?

I believe the reason that so little is done comes down to a lack of understanding and a false sense of security. Small and Medium business owners think that because their email is in the cloud, their IT provider has everything covered. This is often not true. Less than 28% of businesses have basic security controls, such as MFA, in place and even fewer then register their devices correctly. All of this, along with a lack of visibility, makes it simple for your environment to be compromised.

Email, and the attached collaboration services, contains all of your business’ information including sales data, strategies, processes, pricing matrices and financial information. Knowing that you are a target is frightening, especially when you do not know where to start. So why not treat this the same way you treat your car? How can your email be like your car, lets unpack this.

When you invest in a motor vehicle you understand its value. You take active steps to keep the car in the best possible condition. This starts before you drive it off the showroom floor and continues for as long as you use it. The main steps can be simplified:

  1. You make sure that the registrations are all done correctly, the car has its own license plate and registration papers. This is to make sure that your car can be identified as being yours.
  2. You check that remote works and that when you push the button the car locks and unlocks, on top of this you then also park it securely when not in use. Your car is kept behind gates or walls and parked in the garage. You wouldn’t leave your car unlocked out in the open.
  3. You take many photos of your car, enjoying the beauty and maintain a living image of this investment. Making sure you capture it from all angles.
  4. When required you may even put on a steering wheel lock, adding an additional layer of protection to your car.
  5. Most people make use of CCTV or home security cameras, keeping an eye on your property to alert you to the possible danger of an intruder sniffing around the car.
  6. You also make sure to have insurance on your motor car, because even if you do everything mentioned above there is a possibility that there will be an accident, something could still happen and in the worst case scenario your insurance reduces your losses.
  7. Finally, you will also keep the car clean and service it regularly. You top up oil if needed and rotate the tyres. You do this to make sure that the car continues to perform as it should, maintains it warranties and keeps you driving safely.

So to protect your email and information, lets treat it like your car.

  1. You have your email domain and addresses, the registration process mimics the effective management of your DMARC compliance. By ensuring full DMARC compliance you are actively taking steps to identify that legitimate email sent from your domain is actually from you. This massively reduces the risk of email spoofing and shows your commitment to being a trusted member of your supply chain.
  2. Now that you have the general security covered on your cloud platform, lets layer this by placing your email behind an additional secure gateway that is complimentary to your email platform. Adding in the additional layers with targeted threat protection acts as the gates and garage for your information. Using effective encryption options keeps the doors locked on unwanted access.
  3. Automatic and secure archiving of all email should be in place to ensure compliance, provide business continuity and give you immediate access with forensic search capabilities.
  4. Adding the steering lock on your email is a critical step. This means you have actively placed additional layers of protection to keep your data secure and away from prying eyes or out of the cyber criminals hands. Multi Factor Authentication (MFA) must be implemented and devices correctly registered to add this protection
  5. Access controls, with visibility of the entire email tenant is highly recommended. People can be tricked to enter their details where they shouldn’t, they can be convinced to share credentials and without the visibility provided by a monitoring service that will alert you to an intruder, you will not know the bad actors are in your email until it is too late.
  6. Even with all the best intentions and the reduced risk, cyber insurance covers the gap in the event of the worst case scenario. By employing all the correct steps to prevent and detect attacks, your risk is reduced and this will lead to reduced premiums.
  7. Use a reputable and proven service provider to continually service your email and connected systems. This will keep it clean. The reality is that cyber security is a specialist arena and compliments your IT program. The building of a successful cyber resilience program needs a focused and specialist entity to stay ahead of the evolving threats that change all the time. Just as your service your car, your email and digital footprint needs adjustment. You cannot simply set and forget.

Email is not the same as a motor car, or is it?

John Mc Loughlin

  • Hits: 397